Microsoft fixes 11 flaws in 7 patches; 5 affect Windows Vista

Three of the patches are deemed critical, while four are labeled important by Microsoft.

Robert Vamosi Former Editor

Microsoft on Tuesday released its December 2007 security bulletin, which includes seven updates: three are designated as critical by the software giant and four are deemed important.

On the Windows side is a cumulative update for Internet Explorer, plus patches for the Windows kernel, DirectX, the Macrovision driver, and the Windows Media file format; the latter three suggest concern that criminal hackers are targeting media files for exploitation. There are no Microsoft Office updates this month. All Microsoft security patches for Windows and Office software are available via Microsoft Update or via the individual bulletins detailed below.

MS07-063: Important
Entitled "Vulnerability in SMBv2 Could Allow Remote Code Execution (942624)," this bulletin affects users of Microsoft Windows Vista and does not affect users of Windows 2000 or Windows XP SP2. It addresses the vulnerability detailed in CVE-2007-5351: a flaw in the way data is transferred via SMBv2, which could allow remote code execution in domain configurations communicating over SMBv2.

MS07-064: Critical
Entitled "Vulnerabilities in DirectX Could Allow Remote Code Execution (941568)," this bulletin affects users of DirectX versions 7.0 through 10.0 included within Windows 2000, Windows XP, Windows Server 2003, and Windows Vista. The update addresses two vulnerabilities detailed in CVE-2007-3901 and CVE-2007-3895 that could allow code execution if a user opened a specially crafted file used for streaming media in DirectX. Successful exploitation could allow remote code execution.

MS07-065: Critical
Entitled "Vulnerability in Message Queuing Could Allow Remote Code Execution (937894)," this bulletin affects users of Windows 2000 Server, Windows 2000, and Windows XP SP2, and does not affect users of Windows XP Professional x64, Windows Server 2003, or Windows Vista. The update addresses the vulnerability detailed in CVE-2007-3039. A vulnerability in the Message Queuing Service (MSMQ) could allow remote code execution on Microsoft Windows 2000 Server, or elevation of privilege on Microsoft Windows 2000 Professional and Windows XP. Successful exploitation could allow remote code execution or elevation of privilege.

MS07-066: Important
Entitled "Vulnerability in Windows Kernel Could Allow Elevation of Privilege (943078)," this bulletin affects users of Windows Vista, and does not affect users of Windows 2000, Windows Server 2003, or Windows XP. The update addresses the Windows kernel vulnerability detailed in CVE-2007-5350. Successful exploitation could allow an attacker to take complete control of an affected system.

MS07-067: Important
Entitled "Vulnerability in Macrovision Driver Could Allow Local Elevation of Privilege (944653)," this bulletin affects users of Windows XP SP2 and Windows Server 2003, and does not affect users of Windows 2000 or Windows Vista. The update addresses the vulnerability detailed in CVE-2007-5587, in which the Macrovision driver incorrectly handles configuration parameters. Successful exploitation could allow elevation of privilege and give an attacker complete control of the system.

MS07-068: Critical
Entitled "Vulnerability in Windows Media File Format Could Allow Remote Code Execution (941569 and 944275)," this bulletin affects users of Windows Media Format Runtime 7.1, 9, 9.5, and 11, and Windows Media Services 9.1 running on Microsoft Windows 2000, Windows XP SP2, Windows Server 2003, and Windows Vista. This update addresses the Windows Media file format vulnerability detailed in CVE-2007-0064. Successful exploitation could allow remote code execution if a user viewed a specially crafted file in Windows Media Format Runtime.

MS07-069: Critical
Entitled "Cumulative Security Update for Internet Explorer (942615)," this bulletin affects users of Internet Explorer 5.1, 6, and 7, running on Windows 2000, Windows Server 2003, Windows XP SP2, and Windows Vista. The update addresses the four privately reported vulnerabilities detailed in CVE-2007-3902, CVE-2007-3903, CVE-2007-5344, and CVE-2007-5347. Successful exploitation could allow remote code execution if a user viewed a specially crafted Web page using Internet Explorer.
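As an added example (not part of the CNET article or Microsoft's bulletins), the following PowerShell script checks which of the seven bulletins above are present on a Windows host by matching the KB numbers from the bulletin titles against Get-HotFix output. It assumes Windows PowerShell with the Get-HotFix cmdlet; MS07-068 shipped as two KBs (one for the Windows Media Format Runtime, one for Windows Media Services), so either one satisfies that bulletin.

```powershell
# Added example, not from the article: inventory the December 2007 bulletins on
# this host using the KB numbers listed in the bulletin titles above.
# Assumes Windows PowerShell with Get-HotFix.
# Caveat: Get-HotFix only reports updates registered in Win32_QuickFixEngineering,
# and it cannot tell whether a bulletin actually applies to this OS version
# (e.g. MS07-063 and MS07-066 are Vista-only).

# Bulletin -> KB numbers that satisfy it (MS07-068: either KB counts).
$Bulletins = @{
    'MS07-063' = @('942624')           # SMBv2, Vista only
    'MS07-064' = @('941568')           # DirectX
    'MS07-065' = @('937894')           # MSMQ, Windows 2000 / XP SP2
    'MS07-066' = @('943078')           # Windows kernel, Vista only
    'MS07-067' = @('944653')           # Macrovision driver, XP SP2 / Server 2003
    'MS07-068' = @('941569', '944275') # Windows Media file format
    'MS07-069' = @('942615')           # IE cumulative update
}

function Get-Dec2007PatchStatus {
    # Defaults to the local host; pass -InstalledKBs to evaluate an exported list.
    param([string[]]$InstalledKBs = (Get-HotFix | ForEach-Object { $_.HotFixID }))

    # Normalise "KB942624" and "942624" to bare digits for comparison.
    $installed = $InstalledKBs | ForEach-Object { ($_ -replace '^KB', '').Trim() }

    foreach ($id in ($Bulletins.Keys | Sort-Object)) {
        $found = @($Bulletins[$id] | Where-Object { $installed -contains $_ })
        [pscustomobject]@{
            Bulletin   = $id
            Installed  = ($found.Count -gt 0)
            MatchedKB  = ($found -join ',')
            ExpectedKB = ($Bulletins[$id] -join ' or ')
        }
    }
}

# Report one row per bulletin; rows with Installed = False need attention.
Get-Dec2007PatchStatus | Format-Table -AutoSize
```

A False row only means the KB is not registered on this host; cross-check against the OS version before treating it as a missing patch.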